Privacy policy for account and receipt data

Document

Privacy Policy

Last Updated: 2026-03-14

Version: 1.0.0

1. Data Controller

The data controller responsible for data processing is:

Serhat Coban

LoRen IT

Mühlenstraße 8a

14167 Berlin

Germany

Email: snapsort@loren-it.com

Support: support@loren-it.com

Serhat Coban operates as a sole proprietor under the trade name LoRen IT.

2. Categories of Data

Depending on how you use snapsort, we process in particular:

account and sign-in data such as email address, password hash, and optional profile data,
receipt and invoice data such as uploads, OCR output, manual corrections, categories, and notes,
group and budget data when you use shared expense or planning features,
subscription and invoice data for paid access,
technical and security data such as IP address, timestamps, browser/device details, and logs,
support and communication data when you contact us.

3. Purposes and Legal Bases

| Purpose | Examples | Legal basis |

|---------|----------|-------------|

| Providing the account and app functions | sign-in, receipt management, budgets, groups, exports | Art. 6(1)(b) GDPR |

| Subscription and payment handling | Premium checkout, invoices, payment status | Art. 6(1)(b) GDPR |

| Support and service communication | replies to requests, account-related notices | Art. 6(1)(b) GDPR / Art. 6(1)(f) GDPR |

| IT security, abuse prevention, and troubleshooting | logs, access protection, rate limits, CSRF/session safeguards | Art. 6(1)(f) GDPR |

| Legal retention and compliance duties | invoice and payment records | Art. 6(1)(c) GDPR |

4. How Data Is Used in the Service

The public website is limited to informational pages, legal/support content, account registration, and purchase or management of web subscriptions. Receipt capture, OCR review, budgets, groups, and exports are provided through the mobile apps.

4.1 Registration and Sign-In

For registration we process your email address and a password hash. If you sign in with Google or Apple, we receive the data required to authenticate you and populate your profile from the provider you choose.

4.2 Receipt Processing and OCR

When you upload receipts or invoices, we process the file, store the related content in our application systems, and generate structured data from it. snapsort uses OpenAI for OCR-assisted text recognition and structuring. Uploaded files or derived image data and processing instructions are transmitted to OpenAI for that purpose.

OCR results are not guaranteed to be correct. Please review extracted content before relying on it.

4.3 Groups, Budgets, and Exports

If you use group features, the information needed for shared expense management is made available to invited or otherwise authorized group members. Export files are generated on request and made available for download. Export archives remain available for up to 24 hours.

4.4 Payments and Subscriptions

For paid web subscriptions, we use Stripe for checkout, billing, and the customer portal. Payment details for web subscriptions are processed directly by Stripe. We receive only the information required to manage subscriptions, invoices, and payment status. A web-managed subscription unlocks Premium access in the supported mobile apps; the public website itself does not provide receipt-management or budgeting functions.

For iOS in-app purchases, Apple processes the purchase through the App Store / StoreKit. For Android in-app purchases, Google processes the purchase through Google Play / Play Billing. For mobile store-managed subscriptions, we use RevenueCat to synchronize subscription status with our backend and unlock entitlements.

4.5 Emails

We use Resend for transactional emails such as verification, export, and subscription messages.

5. Recipients and Service Providers

Depending on use, the following categories of recipients may be involved:

hosting and storage providers used to operate snapsort,
Stripe for paid web subscriptions,
Apple App Store / StoreKit for iOS in-app purchases,
Google Play / Play Billing for Android in-app purchases,
RevenueCat for synchronization of mobile store-managed subscriptions,
Google or Apple if you choose those sign-in options,
OpenAI for OCR-assisted receipt processing,
Resend for transactional email delivery.

6. Retention

We keep personal data only as long as needed for the relevant purpose. Key criteria include:

| Data category | Typical retention / criterion |

|---------------|-------------------------------|

| account, profile, receipt, and group data | while your account remains active |

| export archives | up to 24 hours after creation |

| temporary upload files | typically up to 2 hours |

| temporary OCR files | typically up to 6 hours |

| accounts marked for deletion | 30 days until permanent deletion unless recovered |

| invoice and payment records | as required by applicable legal retention duties |

7. Cookies and Similar Storage

For core web functionality, we use cookies including:

| Name | Purpose | Duration |

|------|---------|----------|

| `better-auth.session_token` | sign-in and session management | depends on session lifetime |

| `csrf_token` | CSRF protection | session |

Additional display or convenience settings may be stored in browser or app-local storage depending on the surface. The public legal and pricing pages do not require a marketing cookie.

8. Your Rights

Subject to applicable privacy laws, you have rights of access, rectification, erasure, restriction, data portability, and objection to processing based on legitimate interests.

You can start account deletion while signed in. This marks the account for deletion, invalidates active sessions, and schedules permanent deletion after 30 days. The account can be recovered during that period. If you no longer have account access, you can contact us at snapsort@loren-it.com.

You also have the right to lodge a complaint with a competent supervisory authority.

9. Security

We use technical and organizational measures to protect personal data, including access restrictions, session and CSRF safeguards, transport encryption, and logging of security-relevant events. Absolute security cannot be guaranteed.

10. Contact

For privacy questions, contact: